Solved

no desktop after removal of malware/viruses

Posted on 2011-09-21
576 Views
Last Modified: 2013-11-22
I just cleaned a computer of over 100 malware/viruses, and on reboot the background picture comes up and I can see the arrow from the mouse. But no icons, no taskbar, nothing else at all. The Windows key does nothing. Ctrl-Alt-Del will bring up the Task Manager; what can I do/run?
Thanks.
Question by:yellow1053
18 Comments
 
LVL 16

Expert Comment

by:sjklein42
ID: 36578358
Try this first:

1. Right-click the desktop.
2. Point to Arrange Icons By.
3. Click Show Desktop Icons.

 
LVL 16

Expert Comment

by:sjklein42
ID: 36578386
If that doesn't work, then from within the Task Manager, try running "Explorer".
 

Author Comment

by:yellow1053
ID: 36578389
Right-click and left-click do nothing. The arrow never turns into an hourglass either. Thanks though.
 

Author Comment

by:yellow1053
ID: 36578394
Actually I had tried to manually start explorer but get the following error:
Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.
:(
 

Author Comment

by:yellow1053
ID: 36578397
Oh, and by the way, the same results in Safe Mode too (just no background picture, just a black screen).
 
LVL 16

Expert Comment

by:sjklein42
ID: 36578426
The virus has apparently blocked the execution of explorer.exe.

Here's a suggestion of how to create a copy of explorer.exe with a different name "explore.exe".  This should bypass the block.

http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/123561

1. Hit Ctrl+Alt+Delete.
2. New Task, browse to C:\windows.
3. Copy explorer.exe and paste it in C:\windows. It will be called "Copy of Explorer.exe". Rename it explore.exe.
4. Open regedit in C:\windows.
5. Hkey_local_machine\software\microsoft\windows nt\current version\winlogon (single-click on winlogon).
6. Double-click on shell (which is in the column beside winlogon). In the place where it says explorer.exe, write C:\windows\explore.exe (the new one you just pasted).
7. Hit Ctrl+Alt+Delete.
8. New Task, browse to C:\windows\explore.exe.
 
LVL 6

Expert Comment

by:ckivml
ID: 36578533
Did you try to boot in Safe Mode? If not, please boot Windows in Safe Mode.

Press F8 and select Safe Mode,

and see how it works.
 
LVL 91

Expert Comment

by:nobus
ID: 36578746
 
LVL 91

Expert Comment

by:nobus
ID: 36578764
 
LVL 23

Expert Comment

by:phototropic
ID: 36578783
There is a full and complete explanation of how to fix this problem in the following EE article:

http://www.experts-exchange.com/Software/Internet_Email/Anti_Spyware/A_6209-Windows-XP-Vista-Recovery-rogue-Desktop-icons-missing-Empty-program-files.html?sfQueryTermInfo=1+30+desktop+icon+miss

To quote rpggamergirl:

"...These rogues hide files and move desktop shortcuts and Programs startmenu shortcuts into this folder --> %temp%\smtmp, it then creates 4 subdirectories:

%Temp%\smtmp\1\ => Allusers Start Menu
%Temp%\smtmp\2\ => Allusers Quick Launch
%Temp%\smtmp\3\ => Quick Launch\User Pinned\TaskBar
%Temp%\smtmp\4\ => AllUsers Desktop

If you did not empty your temp folder you can just retrieve those files from there. Or use restoresm.zip, which will restore all the missing shortcuts.
Extract the file, open the restoresm folder and double-click on restoresm.bat to run it..."

Have you cleared your temp file cache since removing the malware?

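The restore that the quoted post describes, written out as a PowerShell script. This is an added example, not the article's restoresm.bat (which is not reproduced on this page): it moves whatever is staged under %temp%\smtmp\1..4 back to the four locations listed above, keeping sub-folder layout, and reports when smtmp is simply absent. Assumptions: the All Users paths are read from the Explorer "Shell Folders" registry values (so it works on both XP and Vista+ layouts), the per-user Quick Launch folder lives under %APPDATA%, and PowerShell is installed (it is not on a stock XP box). Run it elevated, as the affected user; -DryRun only lists what would move.

```powershell
# Added example: put back shortcuts a rogue moved into %temp%\smtmp\1..4.
# Not the original restoresm.bat. Paths below are assumptions, see lead-in.
param([switch]$DryRun)   # -DryRun: report only, move nothing

$smtmp = Join-Path $env:TEMP 'smtmp'
if (-not (Test-Path -LiteralPath $smtmp)) {
    # Failure mode reported later in this thread: nothing is staged, so the
    # shortcuts were deleted (or temp was cleared) and must be recreated another way.
    Write-Warning "$smtmp does not exist; nothing to restore."
    exit 1
}

# All Users folders differ between XP and Vista+, so read them from the registry
# rather than hard-coding 'Documents and Settings' or 'ProgramData'.
$shellFolders = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
$quickLaunch  = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'
$map = @{
    '1' = $shellFolders.'Common Start Menu'             # All Users Start Menu
    '2' = $quickLaunch                                  # Quick Launch
    '3' = Join-Path $quickLaunch 'User Pinned\TaskBar'  # pinned taskbar items
    '4' = $shellFolders.'Common Desktop'                # All Users Desktop
}

$moved = 0
foreach ($n in '1', '2', '3', '4') {
    $src = Join-Path $smtmp $n
    $dst = $map[$n]
    if (-not (Test-Path -LiteralPath $src)) { continue }
    # PowerShell 2.0 (the XP version) has no -File switch, so drop directories by hand.
    $files = Get-ChildItem -LiteralPath $src -Recurse -Force | Where-Object { -not $_.PSIsContainer }
    foreach ($f in $files) {
        # Keep the relative layout (e.g. Programs\Accessories\...) under the destination.
        $rel    = $f.FullName.Substring($src.Length).TrimStart('\')
        $target = Join-Path $dst $rel
        if ($DryRun) { Write-Host "would move $($f.FullName) -> $target"; continue }
        $targetDir = Split-Path -Parent $target
        if (-not (Test-Path -LiteralPath $targetDir)) {
            New-Item -ItemType Directory -Path $targetDir -Force | Out-Null
        }
        Move-Item -LiteralPath $f.FullName -Destination $target -Force
        # These rogues also hide what they leave behind; clear attributes on the restored file.
        (Get-Item -LiteralPath $target -Force).Attributes = 'Normal'
        $moved++
    }
}
Write-Host "restored $moved item(s) from $smtmp"
```

With no desktop, launch it from Task Manager > File > New Task as `powershell -ExecutionPolicy Bypass -File <path>\restore-smtmp.ps1 -DryRun`, check the listing, then run it again without -DryRun. The exit code 1 on a missing smtmp folder is deliberate: it is the signal that this recovery path does not apply and the shortcuts have to be rebuilt some other way.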
 

Author Comment

by:yellow1053
ID: 36581648
sjklein42: I get the following error when trying to copy explorer: "Error copying file or folder Cannot copy explorer, access is denied"

ckivml: As noted above, I also tried Safe Mode, but with the same results.

Nobus: sysu.exe and ddm_d.exe are not running in the processes. and explorer.exe does not have the hidden attribute set.

phototropic: I did not clear temp files, as I cannot access the desktop or anything since removing the viruses/malware. However, I copied and ran restoresm.zip, but same results on reboot. :(
 
LVL 16

Expert Comment

by:sjklein42
ID: 36583869
There are several ways the virus can disable access to explorer.exe.  This is the first place I'd check:

http://www.technipages.com/prevent-users-from-running-certain-programs.html

1. Click START>RUN and type GPEDIT.MSC

2. The Group Policy Editor appears.
Click on the plus sign next to User Configuration
then Administrative Templates
then System
and double-click the policy Don’t run specified Windows applications

3.  It should say "Not Configured".  If it says "Enabled", then click the "Show..." button to see if Explorer.exe has been blocked.
 
LVL 38

Expert Comment

by:younghv
ID: 36583908
The 'rpg' Article suggested by phototropic at http:#a36578783 is time-tested and has been used by many EE Members since it was published.

Please take a look (as suggested above) and walk through the steps provided:

http://www.experts-exchange.com/A_6209.html
Windows-XP-Vista-Recovery-rogue-Desktop-icons-missing-Empty-program-files
 
LVL 16

Expert Comment

by:sjklein42
ID: 36584300
The virus may have blocked access to Explorer.exe by setting Special Permissions on it:

http://support.microsoft.com/kb/308419

At this point, I would load a good copy of Explorer.exe from another XP machine onto a USB drive, change its name to Explore.exe, and run it on the wounded machine directly from the USB drive.  At least then you will have a shell to work in.  Then check the Permissions on the Explorer.exe that is on your hard drive.

Note that you will need to (temporarily at least) disable Simple File Sharing in order to see the Security tab in the File Properties window.
 

Author Comment

by:yellow1053
ID: 36584992
sjklein42: Everything went as you said until I clicked on System; your next step, "double-click the policy Don't run specified Windows applications", can't be done as there is NO policy stating "Don't run specified Windows applications".

younghv: As I stated above, I did all that with no results. (I actually ran command first, and then ran it, so I could see what it was doing, and for all four files the result was 0 files copied. That temp directory doesn't exist.)

sjklein42: Ok! we may be on to something here!!! I did as you suggested and ran from a usb a good copy of explore, and was able to check permissions, (here's where it gets interesting!) I have TWO explorer files there! one is the normal exe file and it's permissions allow for one group "everyone" and is set to Full control. but then there is an explorer.scf file whose permissions are many. there are four groups Administrators, power users, system, and users. Admin and system allow for full control. But power users and users only allow for read and execute, and read.
Could this be the source of my problems??
 
LVL 16

Accepted Solution

by: sjklein42 (earned 500 total points)
ID: 36585613
The .scf file is a shortcut and does not explain why Explorer.exe cannot be accessed.

For now, you can work around the blocked Explorer.exe and should be able to boot normally after making this change:

- Copy the functional Explore.exe from the USB drive to your C:\Windows folder.
- Run regedit.
- Hkey_local_machine\software\microsoft\windows nt\current version\winlogon (single-click on winlogon).
- Double-click on shell (which is in the column beside winlogon). In the place where it says explorer.exe, replace it with C:\windows\explore.exe (the new file you just copied there).
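The three checks sjklein42 walks through in this thread (the Winlogon Shell value, the "Don't run specified Windows applications" policy, and the NTFS permissions on explorer.exe) plus the accepted workaround, collected into one PowerShell script. This is an added example, not code from the thread or from Experts Exchange. Assumptions: the known-good copy brought over on USB is at E:\explore.exe (a hypothetical path; pass -GoodCopy to change it) and was taken from a machine with the same Windows version and service pack; PowerShell is available (not installed by default on XP); the script is launched as an administrator from Task Manager > New Task, e.g. `powershell -ExecutionPolicy Bypass -File E:\explorer-triage.ps1`, and with -UseCopy only once the checks have been read.

```powershell
# Added example (not from this thread): triage the usual places that can block
# explorer.exe, then optionally apply the "renamed copy" workaround from above.
# E:\explore.exe is an assumed location for the USB copy.
param(
    [string]$GoodCopy = 'E:\explore.exe',
    [switch]$UseCopy
)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$explorer = Join-Path $env:WINDIR 'explorer.exe'

# 1. Winlogon\Shell. The default is the bare string "explorer.exe" (case-insensitive
#    compare); a full path or a second program after a comma means the shell was redirected.
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -eq 'explorer.exe') { Write-Host "Winlogon\Shell OK: $shell" }
else { Write-Warning "Winlogon\Shell is '$shell' (default is 'explorer.exe')" }

# 2. DisallowRun: the registry form of "Don't run specified Windows applications".
#    GPEDIT showed nothing for the author, but the raw values can exist without a
#    visible policy template, so read them directly.
$pol  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$flag = (Get-ItemProperty -Path $pol -Name DisallowRun -ErrorAction SilentlyContinue).DisallowRun
if ($flag -eq 1) {
    $list = Get-ItemProperty -Path "$pol\DisallowRun" -ErrorAction SilentlyContinue
    # Entries are string values named "1", "2", ... holding bare executable names.
    $blocked = $list.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    Write-Warning "DisallowRun is enabled: $($blocked -join ', ')"
} else {
    Write-Host 'DisallowRun not set'
}

# 3. NTFS permissions on the file itself. An explicit Deny ACE, or an ACL that never
#    grants Execute to the logged-on user, gives the "Windows cannot access the
#    specified device, path, or file" error the author saw.
$acl = Get-Acl -Path $explorer
Write-Host "explorer.exe owner: $($acl.Owner)"
foreach ($ace in $acl.Access) {
    $kind = if ($ace.AccessControlType -eq 'Deny') { 'DENY ' } else { 'allow' }
    Write-Host ("  {0} {1,-30} {2}" -f $kind, $ace.IdentityReference, $ace.FileSystemRights)
    if ($ace.AccessControlType -eq 'Deny') {
        Write-Warning "Deny ACE on explorer.exe for $($ace.IdentityReference)"
    }
}

# 4. Workaround: point Shell at a renamed known-good copy so a desktop comes back.
if ($UseCopy) {
    if (-not (Test-Path -LiteralPath $GoodCopy)) { throw "known-good copy not found at $GoodCopy" }
    $dest = Join-Path $env:WINDIR 'explore.exe'
    Copy-Item -LiteralPath $GoodCopy -Destination $dest -Force
    # Keep the old value so Shell can be set back to "explorer.exe" once the real
    # file's permissions (or whatever else was blocking it) have been repaired.
    Set-Content -Path (Join-Path $env:WINDIR 'winlogon-shell.bak.txt') -Value "Shell=$shell"
    Set-ItemProperty -Path $winlogon -Name Shell -Value $dest
    Write-Host "Winlogon\Shell now points at $dest; reboot, or start $dest from Task Manager now."
}
```

Two caveats a practitioner would add to the accepted answer. First, this is a workaround, not a repair: whatever blocked explorer.exe is still in place, so once the machine is usable, fix the ACL (or remove the DisallowRun entries), set Shell back to `explorer.exe`, and delete explore.exe, otherwise a later Windows update that replaces explorer.exe will leave the system running an orphaned copy. Second, a Shell value that is already a full path is worth reading closely before overwriting it, because a redirected shell is itself a persistence mechanism and the path tells you what to look for.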
 

Author Closing Comment

by:yellow1053
ID: 36590889
Thanks a lot everyone!